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ABSTRACT 



Fraud losses in a communication network are substantially 
reduced by automatically and selectively invoking one or 
more authentication measures based on a fraud score that 
indicates the likelihood of fraud for that particular call or 
previously scored calls. By selectively invoking authentica- 
tion on only those calls that are suspected or confirmed to be 
fraudulent, fraud prevention can be achieved in a way that 
both reduces fraud losses and minimizes disruptions to 
legitimate subscribers. Using telecommunication fraud as an 
example, a subscriber is registered in a system by collecting 
data on that subscriber based on the particular authentication 
method being used, such as shared knowledge (e.g., 
passwords), biometric validation (e.g., voice verification), 
and the like. Once registered, the authentication function for 
the subscriber's account is activated and subsequent calls are 
then scored for the likelihood of fraud during the call setup 
request phase. Fraud scoring estimates the probability of 
fraud for each call based on the learned behavior of an 
individual subscriber and the learned behavior of fraud 
perpetrators. If fraud is not suspected based on the fraud 
score, then normal call processing can resume without the 
need for authentication. If fraud is suspected based on the 
fraud score, then the system automatically invokes authen- 
tication. If authentication indicates suspicion of fraud, e.g., 
voice prints do not match, then the call may be either be 
blocked or referred for other appropriate prevention 
measures, e.g., intercepted by an operator. If fraud is not 
indicated by authentication, then normal call processing may 
resume. 

21 Claims, 5 Drawing Sheets 
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AUTOMATED AND SELECTIVE over time (e.g., days, weeks, months), establishing profiles 

INTERVENTION IN TRANSACTION-BASED for subscribers (e.g., calling patterns), and applying thresh- 

NETWORKS olds to identify fraud. These systems are not viewed as being 

particularly effective because legitimate users can generate 

CROSS-REFERENCE TO RELATED 5 usage that exceeds the thresholds and the amount of fraud 

APPLICATIONS mat can occur pri° r 10 detection and prevention is high (see, 

e.g., U.S. Pat. No. 5,706,338, "Real-Time Communications 

This application claims the benefit of U.S. Provisional Fraud Monitoring System" and U.S. Pat. No. 5,627,886, 

Application Serial No. 60/080,006 filed on Apr. 3, 1998, "System and Method for Detecting Fraudulent Network 

which is herein incorporated by reference. This application 1Q Usage Patterns Using Real-Time Network Monitoring"). 

is also related to U.S. application Ser. No. 09/283,672 filed Although speed in detecting fraud may be improved by 

Apr. 1, 1999, which is incorporated by reference herein. using technologies such as neural networking, statistical 

analysis, memory-based reasoning, genetic algorithms, and 

TECHNICAL FIELD other data mining techniques, improved fraud detection 

_ . . . alone does not completely solve the problem. In particular, 

This invention relates generally to transaction-based net- is even ^ugh systems incorporating these techniques may 

works and, more specifically, to an automated approach for receive and process individual call data on a near real-time 

selectively invoking processes in transaction-based net- basis in an attempt to detect fraud, these systems still do not 

works based on automated analysis of usage such as, for respond to the detected fraud on a real-time or near real-time 

example, selectively invoking automated authentication basis. In one example, a system may generate an alert to an 

mechanisms based on analysis of usage to determine the 20 investigator in a fraud, network monitoring or operations 

likelihood of fraud in communication networks. center. However, an alert becomes part of an investigation 

queue and will generally not be examined or acted upon 

BACKGROUND OF THE INVENTION immediately, thereby resulting in a significant amount of 

^ , , - . . . . , , latency in responding to the detected fraud. Because of the 

Fraudulent use of communication networks is a problem reactive nature of mese tems ^ res ondin to detected 

of staggering proportions. Using telecommunication net- fraud , a considerable amoum of financial loss is still incurred 

works as an example, costs associated with fraud are esti- 5y serv ice providers and customers after the alert is gener- 

mated at billions of dollars a year and growing. Given the atcd Furthermore, automated prevention based on inaccu- 

tremendous financial liability, the telecommunication indus- ra t e detection will result in the disruption of service to 

try continues to seek ways for reducing the occurrence of legitimate subscribers. 

fraud while at the same time minimizing disruption of Various forms of authentication-based systems have also 

service to legitimate subscribers. been proposed for use in combating fraud. Voice verification 

Although there are many forms of telecommunication is one such authentication technique in which a caller's 

fraud, two of the most prevalent types or categories of fraud voice sample is compared with a previously stored voice 

in today's networks are theft-of-service fraud and subscrip- 35 P rint - Although voice verification may meet some of service 

tion fraud. For example, theft-of-service fraud may involve providers' requirements for reducing fraud, the prior art 

the illegitimate use of calling cards, cellular phones, or systems implemenfing this type of authenticauon technique 

telephone lines, while subscription fraud may occur when a have significant disadvantages in terms of the disruption in 

perpetrator who never intends to pay for a service poses as ser T lce tokgunnate subscribers In particular, interrupting 

rr . ou'** * juu each call during call setup to perform voice verification is a 

a new customer. Subscription fraud has been particularly , n * i * u L ^ 

, , , i c .i i . r 40 nuisance to legitimate subscribers and an unnecessary waste 

difficult to detect and prevent because of the lack of any of caH * ssi and fraud prcvcntion rcS ources. 

legitimate calling activity in the account that could other- Furtnennorej mis type 0 f authentication scheme can intro- 

wise be used as a basis for differentiating the fraudulent duce a substantial of costs and UDrjeC essary delay in 

activity. In either case, losses attributable to these types of processing calls in the network. 

fraud are a significant problem. One specific example of a fraud prevention system 

Many companies boast of superior fraud detection in their employing voice verification is described in U.S. Pat. No. 

product offerings; however, the fact remains that a compre- 5,623,539. In this example, a line is constantly monitored, 

hensive fraud management system does not exist which transparent to the users, and voice signal analysis is used to 

addresses the operational and economic concerns of service determine whether at least one participant in the telephone 

providers and customers alike. For example, a common 50 conversation is legitimate. More specifically, voice signal 

disadvantage of most systems is that detection of fraud analysis is used to segregate speech information of the 

occurs after a substantial amount of fraudulent activity has parties and compare this information with stored voice print 

already occurred on an account. Moreover, some fraud information. In addition to the above shortcomings, this 

prevention measures implemented in today's systems, which system is also highly impractical both in terms legal and 

are based solely on inaccurate detection mechanisms, can be 55 social aspects (e.g., invasion of privacy) as well as technical 

quite disruptive to the legitimate customer. As a result, and operational issues (e.g., activated all the time, calls must 

customer "churn" may result as customers change service already be in progress, etc.). 

providers in search of a more secure system. Another example of an authentication-based system is the 
In general, the shortcomings of prior systems are readily Roamer Verification Reinstatement (RVR) feature in wire- 
apparent in terms of the amount of time that is required to 60 less networks. Some RVR implementations use voice veri- 
detect and respond to fraud. For example, fraud detection fication when a caller attempts to use service outside of his 
based on customer feedback from monthly bills is not an or her home calling area. Although this authentication tech- 
acceptable approach to either service providers or custom- nique is less intrusive than the previous example, RVR 
ers. Automated fraud detection systems based on "thresh- cannot effectively address fraudulent use of the system 
olding" techniques are also not particularly helpful in man- 65 within the home area because it is based on initial startup 
aging fraud on a real-time or near real-time basis. For conditions (e.g., outside home area) instead of some form of 
example, thresholding typically involves aggregating traffic fraud scoring. 
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SUMMARY OF THE INVENTION 

Fraud losses in a communication network are substan- 
tially reduced according to the principles of the invention by 
automatically and selectively invoking one or more authen- 
tication measures on a particular call as a function of scoring 
calls for the likelihood of fraud. By selectively invoking 
authentication on only those calls that are suspected or 
confirmed to be fraudulent, fraud prevention can be achieved 
in a way that reduces fraud losses, reduces costs, and 
minimizes disruptions to legitimate subscribers. Moreover, 
selective authentication based on fraud scoring results in a 
more efficient use of call processing and fraud management 
resources. 

In one illustrative embodiment for reducing telecommu- 
nication fraud, a subscriber is registered in a system by 
collecting data on that subscriber based on the particular 
authentication method being used in the system. For 
example, the data to be collected for shared knowledge-type 
authentication may be passwords, while a voice print may be 
collected for a voice verification- type authentication. Once 
registered, the authentication function for the subscriber's 
account must be activated. By way of example only, acti- 
vation of authentication may be based on input from an 
integrated fraud management system which recommends 
authentication based on analysis of a suspected fraud case 
and/or call detail information or activation may be based on 
provisioning functions within the network. Subsequent calls 
are then scored for the likelihood of fraud during the call 
setup request phase. In general, fraud scoring estimates the 
probability of fraud for each call based on the learned 
behavior of an individual subscriber and the learned behav- 
ior of fraud perpetrators. If the usage is not indicative of 
fraud based on the analysis and the resulting fraud score, 
then normal call processing can resume without the need for 
authentication. If fraud is suspected based on the fraud 
score, then the system automatically invokes authentication. 
If authentication indicates suspicion of fraud, e.g., voice 
prints do not match, then the call may be either blocked or 
referred for other appropriate prevention measures, e.g., 
intercepted by operator or customer service representative. 
If fraud is not indicated by authentication, then normal call 
processing may resume. 

In sum, selective authentication according to the prin- 
ciples of the invention can be invoked on either a per-call or 
per- account basis, that is, based on current call score or 
based on a previous fraud case being managed by an 
integrated fraud management system. 

BRIEF DESCRIPTION OF THE DRAWING 
A more complete understanding of the present invention 

may be obtained from consideration of the following 

detailed description of the invention in conjunction with the 

drawing, with like elements referenced with like reference 

numerals, in which: 

FIG. 1 is a simplified flowchart of the method according 

to one illustrative embodiment of the invention; 

FIG. 2 is a simplified block diagram illustrating how call 

scoring is implemented according to one embodiment of the 

invention; 

FIG. 3 is a simplified block diagram of a system according 
to one illustrative embodiment of the invention; and 

FIGS. 4 and 5 are simplified block diagrams that show 
exemplary network configurations in which the principles of 
the invention may be used. 

DETAILED DESCRIPTION OF THE 
INVENTION 

Although the illustrative embodiments described herein 
are particularly well-suited for managing fraud in a tele- 
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communication network, and shall be described in this 
exemplary context, those skilled in the art will understand 
from the teachings herein that the principles of the invention 
may also be employed in other non-telecommunication 

5 transaction-based networks. For example, the principles of 
the invention may be applied in networks that support 
on-line credit card transactions, internet -based transactions, 
and the like. Consequently, references to "calls" and "call 
detail records" in a telecommunication example could be 

1(J equated with "transactions" and "transaction records", 
respectively, in a non- telecommunication example, and so 
on. Moreover, although the inventive principles are 
described in the context of fraud prevention systems in a 
telecommunications network, wherein automated authenti- 

15 cation mechanisms are selectively invoked based on analysis 
of usage to determine the likelihood of fraud, the principles 
of the invention can be applied to any type of automated 
approach for selectively invoking processes in transaction- 
based networks based on automated analysis of usage. 

2Q Accordingly, the embodiments shown and described herein 
are only meant to be illustrative and not limiting. 

FIG. 1 shows an exemplary method for preventing fraud 
in a communication network according to one embodiment 
of the invention. In general, registration step 101 involves 

25 the collection of data that is needed to support the particular 
authentication method being used in the system. As previ- 
ously described, the particular authentication technique may 
be a shared knowledge type (e.g., passwords) or biometric 
validation type (e.g., speaker verification, retinal scanning, 

30 fingerprinting, etc.). As such, the registration step 101 would 
involve the collection of appropriate data such as a voice 
print if speaker verification is used for authentication, pass- 
words or passcodes if shared knowledge authentication is 
used, and so on. Furthermore, the data collected in registra- 

35 tion step 101 may be unique for a single subscriber or may 
support multiple legitimate subscribers associated with the 
account. 

For a more detailed description of some exemplary 
authentication techniques which may be used in conjunction 

40 with the principles of the invention, see, e.g., U.S. Pat. No. 
5,502,759, U.S. Pat. No. 5,675,704, U.S. Pat. No. 4,363,102, 
and U.S. Pat. No. 5,677,989, each of which is herein 
incorporated by reference in its entirety. It should be noted, 
however, that these exemplary authentication techniques are 

45 only meant to be illustrative and not limiting in any way. As 
such, many other authentication techniques and systems 
suitable for use with the present invention will be apparent 
to those skilled in the art and are contemplated by the 
teachings herein. 

so By way of example, registration 101 may be invoked as 
a result of establishment of a new account or as a result of 
changes in the account that are monitored by an external 
process. Moreover, the data needed for authentication may 
be collected as a result of a subscriber dialing a registration 

55 number that connects to an authentication server or 
platform, for example. In this case, the registration process 
(step 101) would be carried out by the authentication server 
or platform. Alternatively, data needed for authentication 
may be collected by an externa] system, in which case, 

60 provisioning functions in the network would invoke the 
registration process (step 101) and provide the required data. 

After registration is completed in step 101, the authenti- 
cation function enters registered state 102 and is then 
available for use on that subscriber account. Once in regis- 

65 tered state 102, the authentication function on the account 
must then be activated as shown in step 104. In general, 
activation triggers 103 may originate from two sources, such 
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as a fraud management system or provisioning functions in measures can be implemented as shown in step 114, e.g., 

a network. In the first example, a fraud management system block call, route call to attendant, etc. If fraud is not 

such as that disclosed in related U.S. application Ser. No. suspected based on the results of authentication, then normal 

09/283,672, the subject matter of which is incorporated by ca ll processing can resume as shown in step 115. 

reference herein in its entirety may be used to trigger the 5 if automatic authentication is not desired as determined in 

activation of the selective authentication function. Briefly, 1Q ^ riate COQlrols m effected M ^ lhe 

this fraud management system analyzes cases of suspected * . f. r A A - no . iL . A 4 « n 

f j, i i *' t a * *• ii . system enters active sconng state 108. In this state, all calls 

fraudulent activity and automatically generates recommen- .„ , . c ... . - - \ 

» . ■ , j . . 4 i "1 j r j a v 109 will be scored for the likehhood of fraud in step 110. 

dations for responding to the suspected fraud. As such, one ™, • * L • j *n L j i. j 

f j j u . • i ^ ' ■ The particular scoring technique used will be described 

of the recommended responses may be to mvoke authenti- in , , • , . T ? f , . ^ 4 . , . t . 

. . if i_ r 11 *i_ ti i i_ below in more detail. If fraud is suspected based on the fraud 

cation on subsequent calls before allowing those calls to be , . . , f L , 4 

j Tu * * e * * ( * a ♦ score, as shown m step 111, then the system automatically 

processed. This type of output from a fraud management / 4 . r r ' „, , 7 . . t 3 

r . .-^ , v . . & i invokes authentication step 112 and subsequent steps as 

system can thus be used as an activation trigger 103 accord- . . , ujic^ j- . . j i_ . .. 

. , «. . . , *■ t* u u u previously described. If fraud is not suspected based on the 

mg to the principles of the present invention. It should be t. , iU in . 

. j *u * «u i * j j • ,i f fraud score, then normal call processing can resume as 

noted that the exemplary system described in the aforem en- 1<; . . 11f D . , . . „ . . 

, . . i- * - i »* u -11 * j shown m step 115. By selectively and automatically mvok- 

tioned patent application is only meant to be illustrative and a »■ r u • „ 

• a j- t * * v j l mg authentication as a function of call scoring according to 

not limiting in any way Accordingly, output supplied by £ ^ ^ of ^ te( , 6 fraud »• 

other fraud management systems could also be used as « J»- i j . . j * j iL • j L -i 

t . e in - ,/. . . « . * 4 u * effectively detected, prevented, or otherwise managed while 
activation triggers 103. It is important to note that the ••••»»,•*■ a a- .• ♦ i . u 
/ i *i > p ,i *\, . .. , minimizing the intrusion and disruption to legitimate sub- 
accuracy (e.g., selectivity) of the authentication scheme is a nn * , t . , , . . . 
c c?J e t i_ c j . . 20 senbers. Moreover, by triggering selective and targeted 
funcUon of the accuracy of the fraud management system. d r • • r j 
A , . r j * * -ii i* • authentication as a function of suspicious fraud scores 
As such, an accurate fraud management system will result id , „ X - 

u ■ i j ■ i_ * i_i * * j during call processing, service providers can more effec- 

authentication being invoked in a highly targeted manner. 4 - i j . c j 

. , , , lively respond to fraud as it occurs. 

Provisioning functions in a network may also supply _ . 

activation trigger 103 to activate the authentication function 25 FIG ' 2 I s « simplified block diagram showing one illus- 

according to the principles of the invention. More t^rative embodiment for scoring caUs accordmg to step 110 

specifically, the authentication function may be activated for fr ° m FIG ' \ In gene /±x CaU SC ° nDg P ba f d 00 L P ro .^ n S 

a particular account in response to a provisioning request ** erem a signature (202) representaUye of a subscriber s 

that is implemented for that account in the network. A calling pattern and a fraud profile (211) representative of a 

provisioning request may or may not be based on fraud- 30 ^ au J dul c en _ l c * Um 8 P^tern are used to determine the hkeh- 

related determinations. For example, a service provider may h u ood of &aud on a particular call. Scored call information is 

decide that the authentication function should be activated then slored < 201 ) *> r later retneval andused m 

based on a non-payment status in the account. Various and contmuous upda^ 

techniques for provisioning services and functions within a contro1 < 220 ) whlch wlU be Ascribed m more detail below, 

network, such as a telecommunication network, are well 35 As shown, call detail records are supplied from network 

known to those skilled in the art. 200 to cal1 scoring function 210. The generation of call detail 

When a call is received after activation in step 104, records in telecommunications networks is well known to 

selective authentication can be implemented in one of two mosc skilled in the art A subscriber's signature may be 

ways according to the exemplary embodiment shown in initialized as shown in block 203 using scored call detail 

FIG, 1. More specifically, a determination is made in step 4 o records from calls that have not been confirmed or suspected 

105 as to whether authentication should be automatically as fraudulent. Initialization may occur, for example, when a 

invoked regardless of subsequent call scoring. For example, subscriber initially places one or more calls. As further 

the aforementioned fraud management system may recom- shown in block 203 > stored subscriber signatures from block 

mend automatic authentication based on a case analysis 202 can ^en be updated using newly scored call detail 

which shows the likelihood of subscription type fraud. As 45 records from subsec ] uent calls that are not confirmed or 

previously described, subscription fraud occurs where a new suspected as fraudulent. As such, a subscriber's signature 

account is established for fraudulent use from the outset. As can ada P l 10 thc subscriber's behavior over time, 

such, the ability to differentiate fraudulent use from legiti- It should be noted that initialization of a subscriber's 

mate use is complicated by the fact that all calling activity signature can also be based on predefined attributes of 

on the newly opened account is fraudulent. By automatically 50 legitimate calling behavior which may be defined by his- 

authenticating subsequent calls in this case, a voice print torical call records and the like. In this way, subscription 

from a suspected subscription fraud perpetrator could be fraud can be detected more readily because a legitimate 

matched with a previously stored voice print associated with subscriber's signature, even at the very early stages of 

a previous known subscription fraud case. Other techniques calling activity, can be correlated with the expected (or 

may also be employed to better detect and prevent subscrip- 55 predicted) behavior of legitimate callers. As such, any 

tion type fraud. Moreover, automatic authentication may be immediate fraudulent calling behavior on a new account, for 

desirable for reasons other than for subscription fraud cases. example, will not provide the sole basis for initializing the 

Therefore, the automatic authentication feature gives a ser- subscriber signature. 

vice provider further control of when and how authentica- It should also be noted that a subscriber signature may 

tion is invoked in the system. eo monitor many aspects of a subscriber's calling behavior 

Following with the scenario where a determination is including, but not limited to: calling rate, day of week 

made in step 105 to automatically authenticate subsequent timing, hour of day timing, call duration, method of billing, 

calls, appropriate controls are effected so that the system geography, and so on. Consequently, a signature may be 

enters active authentication state 107. Subsequent calls 109 derived from information that is typically contained within 

are then authenticated in step 112 using the authentication 65 the call detail records, such as: originating number; termi- 

method of choice. If fraud is suspected based on the results nating number, billed number, start time and date; originat- 

of authentication in step 112, then appropriate prevention ing location; carrier selection; call waiting indicators; call 
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forwarding indicators; three-way calling/transfer indicators; coupled to network 200, which services a number of 
operator assistance requests; and network security failure subscribers, such as subscriber 224. Provisioning function 
indicators, to name a few. The particular elements to be used 250 is coupled to and communicates with each of network 
for establishing and updating a subscriber signature may 200, call control function 220, call scoring function 210, and 
depend on the type of network (e.g., wireline, wireless, 5 authentication function 225. It will be appreciated that the 
calling card, non- telecommunication, etc.), the particular functions described herein may be implemented using corn- 
scoring method being used, as well as other factors that puter hardware and software programmed to carry out the 
would be apparent to those skilled in the art. associated functions and operations. 

Generally, each call will be scored depending on how the In operation, origination of a call by subscriber 224 in a 

call compares to the subscriber's signature retrieved from 1Q telecommunications network 200 will cause several actions 

block 202 and how it compares to a fraud profile retrieved to occur. First, a request for call setup is issued to call control 

from block 211. By way of example, fraud profiles can be 220. Call control 220 carries out several functions in 

initialized and updated (block 212) using scored call detail response to the call setup request. For example, call control 

records from confirmed or suspected fraudulent calls. In a 220 analyzes the call setup request, conditionally invokes 

simplified example, a high fraud score is generated if the call 1S call scoring 210 and/or conditionally invokes authentication 

details represent a suspicious deviation from known behav- 225, and may subsequently complete the call and/or gener- 

ior and a low fraud score is generated if the call details ate appropriate call detail record(s). In particular, call control 

represent highly typical behavior for the subscriber account 220 operates in conjunction with call scoring 210 and 

in question. In addition to providing an overall fraud score authentication 225 to carry out the steps previously 

as output from call scoring function 210, the relative con- 20 described in the flowchart of FIG. 1. 

tribuuons of various elements of the call to the fraud score In sum, call scoring function 210, when invoked or 

should also be included for case analysis purposes, which is otherwise activated, scores calls based on the call detail 

described in further detail in related U.S. application Ser. records supplied by call control function 220 and provides 

No. 09/283,672. For example, contributions of the following the basis for a decision as to whether authentication needs to 

elements may be included for subsequent case analysis: day 25 be invoked for the particular call. Authentication function 

of week; time of day; duration; time between consecutive 225 receives data about or from user 224 either directly via 

calls; destination; use of call waiting; use of call forwarding; a connection established by call control 220 or indirectly via 

use of three-way calling; use of operator services; origina- services provided by call control 220. The type of data 

tion point; use of roaming services (wireless only); number supplied to authentication function 225 will vary depending 

of handofls during call (wireless only); appearance of net- 30 on the type of authentication method being used, e.g., voice 

work security alert; carrier selection; and use of international print analysis, other biometric analysis, password, and so on. 

completion services. Again, this listing is meant to be Provisioning function 250 changes the state of information 

illustrative only and not limiting in any way. in call control 220, call scoring 210, and authentication 

Because call scoring is carried out on a customer-specific function 225 based on requests generated by any one of 

and call-by-call basis, a more precise fraud score can be 35 those systems or by an external system (not shown), 

obtained that is more indicative of the likelihood of fraud Additionally, provisioning function 250 may be used to 

while reducing the amount of false alarms (i.e., "false implement appropriate actions in conjunction with network 

positives*'). Furthermore, to accurately perform call scoring 200 for a particular call based on the call scoring and 

on a call-by-call basis, those skilled in the art will recognize authentication processes. 

that one suitable implementation would be to execute the 40 FIGS. 4 and 5 show an Intelligent Network (IN)-based 

above-described functions using a real-time processing plat- architecture and an adjunct -based architecture, respectively, 

form. One such exemplary real-time processing platform is in which the principles of the invention may be used. It 

Lucent Technologies' QTM™ real-time transaction process- should be noted that the principles of the invention can be 

ing platform, which is described in an article by J. Baulier used in many different types of network architectures. As 

etal., "Sunrise: A Real -Time Event -Processing Framework", 45 such, the exemplary network architectures shown and 

Bell Labs Technical Journal, Nov, 24, 1997, and which is described herein are meant to be illustrative only and not 

herein incorporated by reference. limiting in any way. 

It will be apparent to those skilled in the art that many Referring to FIG. 4, user 424 may be supported by any 

different call scoring techniques may be suitable for imple- type of customer premise equipment or mobile transmitter, 

menting the functionality of call scoring function 210 as 50 In this illustrative embodiment, call control 420 is imple - 

described above. In particular, call scoring techniques based mented in three nodes in the Intelligent Network (IN) 

on statistical analysis, probabilistic scoring, memory -based architecture, those being Service Switching Point (SSP) 421, 

reasoning, data mining, neural networking, and other meth- Signal Transfer Point (STP) 422, and Service Control Point 

odologies are known and are contemplated for use in con- (SCP) 423. Service Switching Point 421 provides basic 

junction with the illustrative embodiments of the invention 55 analysis of call set-up requests, routes calls, and sends 

described herein. Some examples of these methods and requests for service processing guidance to Service Control 

techniques are described in Fawcett et al, "Adaptive Fraud Point 423. Service Control Point 423 makes service 

Detection", Data Mining and Knowledge Discovery 1, decisions, requests call scoring support from call scoring 

291-316 (1997) and U.S. Pat. No. 5,819,226, "Fraud Detec- function 410, and instructs Service Switching Point 421 to 

tion Using Predictive Modeling", issued Oct. 6, 1998, each 60 route calls to authentication function 425 when appropriate, 

of which is herein incorporated by reference. Communication among Service Switching Point 421, Ser- 

F1G. 3 is a simplified block diagram showing one ilfus- vice Control Point 423, and, if desired, authentication func- 

trative embodiment of a system for controlling fraud in a tion 425, is supported by a common channel signaling 

typical telecommunication network according to the prin- network in which messages may be routed by one or more 

ciples of the invention. As shown, system 300 includes call 65 of Signal Transfer Points 422. Call scoring function 410 

control function 220 coupled to call scoring function 210 could be implemented in a separate operations system. As 

and authentication function 225. System 300 is further such, the interface between call scoring function 410 and 
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call control 420 is Service Control Point 423 via an opera- follows. The subscriber 424 dials a call which is interpreted 

tions interface capable of call processing speeds and reli- by SSP 421 as requiring additional services. This is usually 

ability. Authentication function 425 can be supported either based on the dialing of the call, such as the dialing of a 0+ 

in a separate services node, e.g., an authentication server as prefix or a toll-free number associated with operator ser- 

shown, or within Service Control Point 423. Provisioning is s vices. Through interaction with SSP 421, the subscriber 

carried out in Service Management System 450. identifies that calling card services are requested and enters 

T | j . • * , . , . ™~ - his/her card number. The card number is transmitted to SCP 

In one possible adjunct implementation shown in FIG. 5, P ... . , t . t . . 

i ♦ j t u- i ! 423 for vahdation, which also recognizes that scormg and 

all call control is implemented within a switching element ■ ■ 4 . 4 , & iL . A 

em £. j * / • \ j iL authentication have been activated on this account. While 

510, while fraud management (e.g., scormg) and authenti- ... - . . , . 

. j \ V b/ . e * A nn validating the card, SCP 423 also transmits a scoring request 

cation services are supported out of a common adjunct 520. 10 t . 6 . 1A ' . ... , . 4 6 . M i 

™ . 4 - , 4 t.. i . em j j- . t0 sconng 410 which will respond with an instruction to 

The interface between switching element 510 and adjunct . . ~f ^ t tU „ tU u j- . eon 

c - n , . & n . • ,• • either authenticate the call, process the call according to SCP 

520 may be any link supporting call set-up signaling, service ... . , 4 4 . x , * 

.. J . . , ,. ° . »u V * * j o • validation (without authentication), route the call to an 

signaling and voice trunking, such as the Integrated Services 4i , 4 v , iL „ / T . t . 

Dirital Network (ISDN) Basic Rate Interface (BRI) or attenda nt, or deny the call entirely. If the response is to 

n ■ „ , x . c /nni\ r • n * k authenticate, the SCP 423 will send an instruction to the SSP 

Primary Rate Interface (PRI). In this illustrative 1 5 „ t . . * 4 , „ t 4 . 4 . # . .. c . t . t . t . 

. J t . . 4 , . i ' 1 • r 421 to route the call to authentication 425. Authentication 

implementation, switching element 510 provides analysis of ... ... A . , ., , . 

call set-up requests, makes service decisions, requests call w " ^ n « n g e subscriber 424 us.ng whatever 

\ j* * ma j . . « « 4 authentication techmque(s) it employs. The result of authen- 

sconng support from adjunct 520, determines whether to , # m u- \ ■ \ j * .i_ ^-v* 

. 11 . j ■ .map .u V .* j . *i_ Ucation (pass, fail, ambiguous) is returned to the SCP 423 

route calls to adjunct 520 for authentication and routes those . iL ^rT!.-, ™ o>™ j j . . , 

. * * j * * ma • j ii • , iU j . on via the SSP 421. The SCP then decides whether the call 

calls. Adjunct 520 provides call sconng and authentication. 20 . . n ^j-j .j. .j.j 

... .. A . to t ... should be allowed, denied or routed to an attendant and 

Provmomng again, is carried out in a separate provisioning 421 accoldingly . Optionally, the SCP 423 will 

system 530 that is connected to all elements. ., . - t . T y . . iA - 

7 provide information on authentication to scormg 410 for 

The basic flow described above can be applied to a variety case mana g em ent purposes, 

of telecommunications services. One illustrative but not {{ shouW ^ be noted ^ implementation of m . call 

limiting example is calling card. A brief descnption of the evention for callin card scrviccs can also be carried out 

processing performed by typical calling card services in the ^ muW le latforms . According i y) varioU s modifica- 

absence of in-call fraud prevenUon is first provided to assist ^ tQ ^ ^ m [ emeotatioD details of me pr i nci pi e s of the 

in understanding how the principles of the invention can based onparticular services (e.g., calling card) and 

then be applied in the calling card context. ^ parlicular network configurations will be apparent to those 

FIG. 4, which provides one of many possible network skilled m fa c arl m v i ew 0 f tae teachings herein, 

implementations supporting calling card services, can illus- M described herein, the present invention can be embod- 

trate both provisioning and call processing. When a new ied m me form of methods apparatuses for practicing 

account is opened, information on the account is loaded those methods . ^ invention can also be embodied in the 

from service management system 450 into SCP 423. The 35 form of program code embodied in tangible media, such as 

subscriber 424 of the service is then able to use his/her card. floppy disketteS) CD-ROMs, hard drives, or any other 

The subscriber 424 dials a call which is interpreted by SSP machine-readable storage medium, wherein, when the pro- 

421 as requiring additional services. This is usually based on gram codc fa loaded mto md cxecutcd by a mac hine, such 

the dialing of the call, such as the dialing of a 0+ prefix or as a confer, the machine becomes an apparatus for 

a toll-free number associated with operator services. 4Q practicmg thc invention. The present invention can also be 

Through interaction with SSP 421, the subscriber identifies embodied in the form of program code, for example, 

that calling card services are requested and enters his/her whether stored in a storage medium, loaded into and/or 

card number. The card number is validated by SCP 423, executed by a machine, or transmitted over some transmis- 

which instructs the SSP 421 to complete the call, re-prompt sion medium , sucn as over electrical wiring or cabling, 

for card information, route the call to an operator or deny 45 through fiber opt i CSj or via electromagnetic radiation, 

service. wherein, when the program code is loaded into and executed 

In-call prevention may be applied to this service flow. by a machine, such as a computer, the machine becomes an 

Again, as an illustrative but not limiting example, consider apparatus for practicing the invention. When implemented 

FIG. 4. When new service on the card is opened, authenti- on a general-purpose processor, the program code segments 

eating information is collected either by an external system 50 combine with the processor to provide a unique device that 

and loaded by the service management system 450 into operates analogously to specific logic circuits, 

authentication 425, or is entered directly by the subscriber it should also be noted that the foregoing merely illus- 

into authentication 425. In the latter case, the subscriber is tbe principles of the invention. It will thus be appre- 

instructed to dial a particular number which is interpreted by c j ate d that those skilled in the art will be able to devise 

call control 420 as a request for connection into the authen- 5S various arrangements which, although not explicitly 

tication system 425. The authentication system 425 recog- described or shown herein, embody the principles of the 

nizes the call as a registration and collects required infor- invention and are included within its spirit and scope, 

mation from the subscriber. Once the authentication system Furthermore, all examples and conditional language recited 

is properly loaded, service management system loads the herein are principally intended expressly to be only for 

account information in SCP 423 and the service is ready for 60 pedagogical purposes to aid the reader in understanding the 

usc - principles of the invention and the concepts contributed by 

At some point in the history of the account, scoring 410 the inventor(s) to furthering the art, and are to be construed 

will determine that authentication should be activated, based as being without limitation to such specifically recited 

on call detail records. Scoring 410 will issue a request via examples and conditions. Moreover, all statements herein 

service management system 450 to activate authentication. 65 reciting principles, aspects, and embodiments of the 

In this example, assume that score-based authentication is invention, as well as specific examples thereof, are intended 

requested. Once activated, subsequent calls are processed as to encompass both structural and functional equivalents 
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thereof. Additionally, it is intended that such equivalents ing the subscriber signature and learned behavior of fraudu- 

include both currently known equivalents as well as equiva- lent calling activity comprising the fraud signature, 

lents developed in the future, i.e., any elements developed 5. The method according to claim 1, wherein the at least 

that perform the same function, regardless of structure. one authentication measure is selectively invoked on calls 

Thus, for example, it will be appreciated by those skilled s suspected of being fraudulent and calls confirmed to be 

in the art that the block diagrams herein represent conceptual fraudulent based on the fraud score, 

views of illustrative circuitry embodying the principles of 6 - A mctho ? . for controlling a network where transactions 

the invention. Similarly, it will be appreciated that any flow occur > comprising the step of: 

charts, flow diagrams, state transition diagrams, automatically and selectively invoking at least one pro- 
pseudocode, and the like represent various processes which cess during a particular transaction based on automated 
may be substantially represented in computer readable 10 analysis of usage in the network wherein the at least 
medium and so executed by a computer or processor, one process is selectively invoked to reduce fraudulent 
whether or not such computer or processor is explicitly activity in the network on a targeted basis thereby 
shown. reducing disruptions to legitimate activity in the net- 

The functions of the various elements shown in the work, 
drawing may be provided through the use of dedicated is 7> ^ method accor ding to claim 6, wherein automated 
hardware as well as hardware capable of executing software ^ ^ of m ±c QctwQ± includcs idcnlifying thc 
in association with appropriate software. When provided by 1^^ of frjmd for transactions occurring in the network, 
a processor, the functions may be provided by a single 8 . Amethod for reducing fraudulent activity in a telecom- 
dedicated processor, by a single shared processor, or by a munication aet work, comprising the steps of: 
plurahty of individual processors, some of which may be M isterin a subscriber by collecting information on that 
shared. Moreover, a processor or controller should not , .f , . . c t r , t 
. c i uip subscriber, wherein the information corresponds to a 
be construed to refer exclusively to hardware capable of , ' 4 . A . r 
executing software, and may implicitly include, without prescribed authentication measure; 
limitation, digital signal processor (DSP) hardware, read- activating the prescribed authentication measure for that 
only memory (ROM) for storing software, random access subscriber's account; 

memory (RAM), and non-volatile storage. Other hardware, 25 scoring a call for the likelihood of fraud during a call 

conventional and/or custom, may also be included. setup request phase; and 

Similarly, any switches shown in the drawing are conceptual if fraud is suspected based on the scoring step, automati- 

only. Their function may be carried out through the opera- ca u y and selectively invoking authentication for the 

tion of program logic, through dedicated logic, through the ca n. acc0 rding to the prescribed authentication measure, 

interaction of program control and dedicated logic or even 30 whereb fraudulent activil in the Qetwork is reduced on 

manually, the particular technique being selectable by the & d ^ thereb redud ^ tions to , iti . 

implementor as more specifically understood from the con- mate m ^ Detwork 

r t * j r 9. The method according to claim 8, further comprising 

In the claims hereof any element expressed as a means for me of tf authentication indicates of frmd> 

performing a specified function , is intended to encompass 35 me qj mQK ibed caU me!lsmes . 

any way of performmg that funcUon including, for example 1Q ^ hod to daim 9 whcrcin the st of 

a) a combina .on of circuit element which performs that Qne Qr more £ bed caU processing measure s is 

function or b) software m any form mcluding, therefore, & lected ^ ^ consisting of blocking the 

firmware microcode or the like, combmed with i appropriate ^ ^ mdaaiag me call> ^ r £ uting me ^ t0 M op^o,. 

circuitry for executing that software to perform the function. 40 U . The accor ding to claim 8, wherein the pre- 

The invention as defined by such clauns resides ui the fact authentication measure k voice V6ri fi ca tion, and 

that the functionalities provided by the various recited whereinthe ste of registeringinc i ude s the step of collecting 

means are combmed and brought together in the manner a yoice ^ & ^ Lbscriber. 

which the clauns call for. Apphcants thus regard any means u ^ memod accordi , 0 claim 8 wherejn ^ st of 

which can provide those functionalities as equrvalent to ^ activating mckdes the J p of receiving kp|lt ^ m 

Wh t ° ""l • . external fraud management system that recommends 

a is c aime is. ... authentication based on analysis of a suspected fraud case. 

1. A method for reducing fraudulent activity in a telecom- 13 ^ method t0 claim 8 , wherein a fraild 
munication network, comprising the step of: SCQre of m individual call ^ * epresentativ e 0 f the likelihood 

automatically and selectively invoking at least one ^ of &aud based on the lean]ed behavior of a subscriber 

authentication measure during a call processing state comprising a subscriber signature and the learned behavior 

for a particular call as a function of scoring calls for the 0 f fraudulent calling activity comprising a fraud profile, 

likelihood of fraud, wherein the at least one authenu- 14, The method according to claim 8, wherein the pre- 

cation measure is selectively invoked based on a fraud scribed authentication measure is biometric validation, and 

score, the fraud score being derived as a function of a wherein the step of registering includes the step of collecting 

legitimate subscriber signature and a fraud signature, 55 biometric information for the subscriber, 

such that fraudulent activity in the network is reduced IS. The method according to claim 8, wherein the pre- 

on a targeted basis thereby reducing disruptions to scribed authentication measure is shared knowledge -based 

legitimate activity in the network. verification. 

2. The method according to claim 1, wherein the at least 16- method according to claim 8, wherein the step of 
one authentication measure is selected from the group 60 registering is triggered by an event selected from the group 
consisting of voice verification, biometric validation, and consisting of establishment of a new account and monitored 
shared knowledge-based verification. changes to an existing account. 

3. The method according to claim 1, wherein scoring is 17 Th e method according to claim 8, wherein the step of 
done on a call-by-call basis using a real-time transaction activating includes the step of receiving a provisioning 
processing platform. 65 request. 

4. The method according to claim 1, wherein the fraud 18. A system for reducing fraudulent activity in a network, 
score is based on learned behavior of a subscriber compris- comprising: 
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means for scoring calls in the network and for generating 
a fraud score indicative of the likelihood of fraud; and 
means, responsive to the fraud score for automatically and 
selectively invoking at least one authentication mea- 
sure during a call processing state for a particular call, 
such that fraudulent activity in the network is reduced on 
a targeted basis thereby reducing disruptions to legiti- 
mate activity in the network. 
19. The system according to claim 18, wherein the net- 
work is an intelligent network (IN) including one or more 
service switching points (SSPs), one or more signal transfer 
points (STPs), and one or more service control points 
(SCPs). 
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20. The system according to claim 18, wherein the net- 
work is an adjunct-based network. 

21. A method for reducing fraudulent activity in a tele- 
communication network, comprising the step of: 

5 responsive to call scoring, automatically and selectively 
authenticating a call, wherein call scoring provides an 
indication of the likelihood of fraud as a function of a 
legitimate subscriber signature and a fraud signature, 
such that fraudulent activity in the network is reduced 
on a targeted basis thereby reducing disruptions to 
legitimate activity in the network. 
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